On-Premise ServiceNOW & MFA with Hardware Security Key
08-02-2022 03:35 AM
Hi,
We are setting up an on-premise ServiceNow instance and we have a requirement to set up MFA with a roaming authenticator utilizing the FIDO2 process (in our case, a hardware security key).
Our instance will not have direct access to the public internet, so I am wondering whether it requires one? Does the instance authenticate the connection with an external WebAuthn Relying Party/FIDO2 Server, or do we have to set one up ourselves?
If we do, where do we modify the endpoint parameters? I see some references to SNC.GlideAuthenticationFactor in the script, but I can't find any documentation related to it.
Any help with this matter would be appreciated!
Thank you!
BR,
Aleksi
Labels: Instance Configuration
08-12-2022 08:10 AM
Question for you. Have you been able to register more than one hardware security key? I can't seem to get SN to allow a second hardware key to register.
A reply to your question. I would use the keys for MFA even if you are on-prem. If your users have hardware keys already, they are already used to using them. Using a hardware key for MFA is less work than email OTP or using an Authenticator App (which requires a mobile phone). And hardware keys (or more exactly U2F, FIDO2, WebAuthn) aren't vulnerable to any sort of in-the-middle attack.
08-15-2022 12:07 AM
We are still setting the instances up so we aren't at the stage yet to be able to register any hardware keys.
Yes, we have a requirement for using the hardware keys.
The problem is that our on-prem instance will not have access to the internet, so we will need to figure out another way to complete the authentication process using the Relying Party if SN utilizes a third-party Relying Party.
08-15-2022 05:28 AM
One of the benefits of using hardware security keys is that you don't need the internet to register them and/or authenticate with them.
Damian
08-15-2022 10:59 PM
Ah, that is interesting.
That means that ServiceNow is the Relying Party in the FIDO2 process.
I wonder if I can override the SSL requirement somehow (since we don't have certifications for our sandbox environment).